Account hijacking using 'dirty dancing' in sign-in OAuth-flows | PT SWARM
by Frans Rosén
Combining response-type switching, invalid state and redirect-uri quirks in OAuth with third-party JavaScript inclusions yields multiple vulnerable scenarios in which authorization codes or tokens can leak to an attacker. This could be used for single-click account takeovers. Frans Rosén, Security Advisor at Detectify, goes through three different scenarios found in the wild below and also suggests ways to reduce the risk.
Contents:
• Background
• Current state and assumptions about OAuth credential leakage
• Explanation of different OAuth-dances
• Response modes
• A theory: stealing tokens through postMessage
• It took a lot of time to get here
• Non-happy paths in the OAuth-dance
• Break state intentionally
• Response-type/Response-mode switching
• Redirect-uri case shifting
• Redirect-uri path appending
• Redirect-uri parameter appending
• Redirect-uri leftovers or misconfigurations
• I ended up on a non-happy path. Now what?
• Here be more time
• URL-leaking gadgets
• Other ideas for leaking URLs
• A page on a domain that routes any postMessage to its opener
• Conclusion
• How can we fix this?
• How to reduce the risk